// Module included in the following assemblies: // // * security/encrypting-etcd.adoc // * post_installation_configuration/cluster-tasks.adoc [id="enabling-etcd-encryption_{context}"] = Enabling etcd encryption You can enable etcd encryption to encrypt sensitive resources in your cluster. [WARNING] ==== It is not recommended to take a backup of etcd until the initial encryption process is complete. If the encryption process has not completed, the backup might be only partially encrypted. ==== .Prerequisites * Access to the cluster as a user with the `cluster-admin` role. .Procedure . Modify the `APIServer` object: + [source,terminal] ---- $ oc edit apiserver ---- . Set the `encryption` field type to `aescbc`: + [source,yaml] ---- spec: encryption: type: aescbc <1> ---- <1> The `aescbc` type means that AES-CBC with PKCS#7 padding and a 32 byte key is used to perform the encryption. . Save the file to apply the changes. + The encryption process starts. It can take 20 minutes or longer for this process to complete, depending on the size of your cluster. . Verify that etcd encryption was successful. .. Review the `Encrypted` status condition for the OpenShift API server to verify that its resources were successfully encrypted: + [source,terminal] ---- $ oc get openshiftapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type=="Encrypted")]}{.reason}{"\n"}{.message}{"\n"}' ---- + The output shows `EncryptionCompleted` upon successful encryption: + [source,terminal] ---- EncryptionCompleted All resources encrypted: routes.route.openshift.io, oauthaccesstokens.oauth.openshift.io, oauthauthorizetokens.oauth.openshift.io ---- + If the output shows `EncryptionInProgress`, this means that encryption is still in progress. Wait a few minutes and try again. .. Review the `Encrypted` status condition for the Kubernetes API server to verify that its resources were successfully encrypted: + [source,terminal] ---- $ oc get kubeapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type=="Encrypted")]}{.reason}{"\n"}{.message}{"\n"}' ---- + The output shows `EncryptionCompleted` upon successful encryption: + [source,terminal] ---- EncryptionCompleted All resources encrypted: secrets, configmaps ---- + If the output shows `EncryptionInProgress`, this means that encryption is still in progress. Wait a few minutes and try again.